fix(hedgedoc): Futureproof helm chart

This patch adds the unreleased healthcheck path as well as setting hedgedoc up for PSS of restricted.

fix(hedgedoc): Futureproof helm chart
14861122 · Sheogorath · 309ea066 · 14861122 · 14861122 · 14861122
Verified Commit 14861122 authored 1 year ago by Sheogorath
--- a/charts/hedgedoc/Chart.yaml
+++ b/charts/hedgedoc/Chart.yaml
@@ -14,7 +14,7 @@ keywords:
 sources:
    - https://github.com/hedgedoc/hedgedoc/tree/master
    - https://git.shivering-isles.com/shivering-isles/infrastructure-gitops/-/tree/main/charts/hedgedoc
-version: 0.2.3
+version: 0.3.0
 # renovate: image=quay.io/hedgedoc/hedgedoc
 appVersion: 1.9.7
 maintainers:

--- a/charts/hedgedoc/README.md
+++ b/charts/hedgedoc/README.md
 # hedgedoc

-![Version: 0.2.3](https://img.shields.io/badge/Version-0.2.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.7](https://img.shields.io/badge/AppVersion-1.9.7-informational?style=flat-square)
+![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.7](https://img.shields.io/badge/AppVersion-1.9.7-informational?style=flat-square)

 A platform to write and share markdown.

@@ -72,7 +72,10 @@ A platform to write and share markdown.
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
-| podSecurityContext | object | `{}` |  |
+| podSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
+| podSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| podSecurityContext.fsGroup | int | `10000` |  |
+| podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
 | postgresql.auth.database | string | `"hedgedoc"` |  |
 | postgresql.auth.existingSecret | string | `""` |  |
 | postgresql.auth.password | string | `""` |  |
@@ -80,7 +83,9 @@ A platform to write and share markdown.
 | postgresql.enabled | bool | `true` |  |
 | postgresql.tls.enabled | bool | `false` |  |
 | resources | object | `{}` |  |
-| securityContext | object | `{}` |  |
+| securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| securityContext.runAsNonRoot | bool | `true` |  |
+| securityContext.runAsUser | int | `10000` |  |
 | service.port | int | `80` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |

--- a/charts/hedgedoc/templates/deployment.yaml
+++ b/charts/hedgedoc/templates/deployment.yaml
@@ -52,11 +52,19 @@ spec:
              protocol: TCP
          livenessProbe:
            httpGet:
+              {{- if (semverCompare ">1.9.7" .Chart.AppVersion)}}
+              path: /_health
+              {{-  else }}
              path: /status
+              {{- end }}
              port: http
          readinessProbe:
            httpGet:
+              {{- if (semverCompare ">1.9.7" .Chart.AppVersion)}}
+              path: /_health
+              {{-  else }}
              path: /status
+              {{- end }}
              port: http
          {{- if .Values.postgresql.tls.enabled }}
          volumeMounts:

--- a/charts/hedgedoc/tests/__snapshot__/98_snapshot_test.yaml.snap
+++ b/charts/hedgedoc/tests/__snapshot__/98_snapshot_test.yaml.snap
@@ -73,7 +73,7 @@ should match basic snapshot:
              imagePullPolicy: IfNotPresent
              livenessProbe:
                httpGet:
-                  path: /status
+                  path: /_health
                  port: http
              name: hedgedoc
              ports:
@@ -82,11 +82,21 @@ should match basic snapshot:
                  protocol: TCP
              readinessProbe:
                httpGet:
-                  path: /status
+                  path: /_health
                  port: http
              resources: {}
-              securityContext: {}
-          securityContext: {}
+              securityContext:
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                runAsUser: 10000
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            fsGroup: 10000
+            seccompProfile:
+              type: RuntimeDefault
          serviceAccountName: RELEASE-NAME-hedgedoc
  3: |
    apiVersion: networking.k8s.io/v1

--- a/charts/hedgedoc/values.yaml
+++ b/charts/hedgedoc/values.yaml
@@ -66,16 +66,19 @@ postgresql:

 podAnnotations: {}

-podSecurityContext: {}
-  # fsGroup: 2000
+podSecurityContext:
+  allowPrivilegeEscalation: false
+  fsGroup: 10000
+  capabilities:
+    drop:
+      - ALL
+  seccompProfile:
+    type: RuntimeDefault

-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext:
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 10000

 service:
  type: ClusterIP